Thursday, February 15, 2007

How to block Skype traffic with one iptables rule

There is an interesting lecture (PDF) by Philippe Biondi and Fabrice Desclaux about how and what they learned about the Skype client code and protocol. On page 75 they give the following secret incantation for blocking Skype traffic:
iptables -I FORWARD −p udp −m length −−length 39 −m u32 −−u32 ’27&0x8f=7’ −−u32 ’31=0x527c4833’ −j DROP

6 comments:

Anonymous said...

I tried the command and got
iptables v1.4.2: Invalid rule number `−p'

Very strange, as simpler command
iptables -I FORWARD -p udp -j ACCEPT

works...

Amos Shapira said...

@Anonymous - it might help if you could copy and paste the exact command and output that you got.

Francesco said...

i doesn't work anyway , at least no more.

iptables -I FORWARD 1 -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP

^ be very carefull with with spaces and tabs

Syntax said...

"I tried the command and got
iptables v1.4.2: Invalid rule number `-p'"

When I copied/pasted the rule from Firefox in Windows into a putty session, I got this:

iptables -I FORWARD .p udp .m length ..length 39 .m u32 ..u32 .27&0x8f=7. ..u32 .31=0x527c4833. .j DROP

Note that the hyphens are replaced with periods, so I ended up with this error:

[1] 9849
-su: 0x8f=7.: command not found
myhost:~# iptables v1.4.2: Invalid rule number `.p'
Try `iptables -h' or 'iptables --help' for more information.

[1]+ Exit 2 iptables -I FORWARD .p udp .m length ..length 39 .m u32 ..u32 .27

All I had to do was input the command manually and it accepted it... no problem.

Leo Carvalho said...

When I try to start the firewall with this line, I get the following error:

Couldn't load match `u32':/lib64/iptables/libipt_u32.so

I downloaded the file libipt_u32.so and placed at the directory, but then I got an error message regarding conflict of versions.

Is it there another way to make it?

Alan said...

Those having iptables related errors dont copy/paste it type it manually.

However check the date. Post is 5 years old and I can confirm this no longer functions as a working way to block skype.